MSAL token expires after 1 hour

Problem description

I am using MSAL for Azure AD authentication in a Xamarin app. The validity of the token is 1 day (seen using the value of ExpiresOn of AuthenticationResult). My problem is that, after 1 hour, AcquireTokenSilentAsync fails and then AcquireToken needs to be called.

I am not able to understand that even though the token validity is 1 day, and the validity of refresh token is even more, why is it asking for authentication after every 1 hour? Can this be changed using any parameter value or any other way?

Recommended answer

Just to make a small clarification, MSAL doesn't actually issue tokens or decide a token expiration, but rather ingests an acquired token from the Azure AD STS.

MSAL will automatically refresh your access token after expiration when calling AcquireTokenSilentAsync. You're likely not getting automatic silent refreshes due to some kind of token cache miss. It's hard to say the specific issue without seeing your code, but I'll recommend comparing it against the official MSAL Xamarin code sample.

If you're building a Xamarin app, then it's a public client. The default token expirations right now are:

Access Tokens: 1 hour

Refresh Tokens: 90 days, 14 day inactive sliding window

Azure AD does allow you to configure these token expirations in PowerShell. You can define a token lifetime policy and then assign it to the specific Service Principal, across the tenant/organization, or on the application object. The other thing to keep in mind is if you're requesting a token for a specific resource, then the policy must be set on that resource rather than the requesting service principal or app. For more info on this, check out configuring token lifetime in Azure AD.
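
The silent-first pattern the answer refers to, as an added example that is not part of the original answer or the official sample. It assumes the MSAL.NET 2.x API (`GetAccountsAsync`, `AcquireTokenSilentAsync`, `AcquireTokenAsync` with a `UIParent`); the client ID, scope and the `TokenProvider` class name are placeholders.

```csharp
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class TokenProvider // hypothetical helper, not from the page
{
    // Placeholders: substitute your own app registration and scopes.
    private const string ClientId = "<your-client-id>";
    private static readonly string[] Scopes = { "User.Read" };

    // Keep ONE long-lived instance. Its token cache holds the refresh token;
    // building a new PublicClientApplication for each request is a common
    // way to end up with the cache miss described in the answer.
    private static readonly PublicClientApplication App =
        new PublicClientApplication(ClientId);

    public static async Task<AuthenticationResult> GetTokenAsync(UIParent uiParent)
    {
        // The silent call needs the cached account; passing null (or an
        // account from a different app instance) cannot match the cache.
        IEnumerable<IAccount> accounts = await App.GetAccountsAsync();
        IAccount account = accounts.FirstOrDefault();

        if (account != null)
        {
            try
            {
                // Returns the cached access token, or redeems the cached
                // refresh token when the 1-hour access token has expired.
                return await App.AcquireTokenSilentAsync(Scopes, account);
            }
            catch (MsalUiRequiredException ex)
            {
                // Log only the error code, never token values.
                Debug.WriteLine($"Silent acquisition failed: {ex.ErrorCode}");
            }
        }
        else
        {
            Debug.WriteLine("No cached account: token cache is empty for this app instance.");
        }

        // Interactive fallback, reached only when silent acquisition is impossible.
        return await App.AcquireTokenAsync(Scopes, uiParent);
    }
}
```

If the "No cached account" line appears an hour after a successful sign-in, the cache is not being reused between calls, which points at application wiring rather than token lifetimes.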
